Cryptography for Mere Mortals #12

An occasional feature, Cryptography for Mere Mortals attempts to provide clear, accessible answers to questions about cryptography for those who are not cryptographers or mathematicians.

Passwords, part 1

Q: Why does it seem like after every website hack, we’re told both “We don’t believe passwords were compromised” and “You should change all your passwords”?

A: “It’s complicated”—the answer has multiple facets.

First, remember that the word “believe” is in there: the company doesn’t want to say “Your password is absolutely safe”, because, as we’ve learned repeatedly, the facts surrounding a breach tend to evolve. So even if the first indications are that there was essentially no risk—say, the passwords were hashed with a salt and then stored in a database protected with strong encryption, and the breach was that someone stole a laptop containing the encrypted database—it might turn out later that things weren’t as secure as believed (the laptop’s owner finally admits that there “um, might be a Post-It in the bag with the machine that has the database password on it…and oh, yeah, we also discovered that the update to salt the passwords didn’t ‘take’, so they’re just hashed…”). That last detail matters more than it sounds: an unsalted hash can be matched against a table of hashes that an attacker computed once, ahead of time, and it also shows at a glance which users chose the same password, since the same password always produces the same hash.
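To make the “just hashed” versus “hashed with a salt” difference concrete, here is an added Python example (not code from the original column or from any site it mentions). It builds two versions of the same small password store, one with plain SHA-256 and one with a per-user random salt run through PBKDF2-HMAC-SHA256, then plays the attacker against both. The accounts and the attacker’s wordlist are constructed for the example, and PBKDF2 is an assumption about how a “salted” site might do it; the point holds for any salted, slow password hash.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example, not data from any real breach.
USERS = {
    "alice": "password123",
    "bob": "hunter2",
    "carol": "password123",  # reuses alice's password
}

# Constructed attacker wordlist (a real one would have millions of entries).
WORDLIST = ["123456", "password", "password123", "hunter2", "letmein"]

# Work factor for the salted scheme; assumed for the example.
PBKDF2_ITERATIONS = 100_000


def hash_unsalted(password):
    """The 'just hashed' case: one plain SHA-256 over the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt):
    """Per-user random salt mixed in via PBKDF2-HMAC-SHA256, a slow salted KDF."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return dk.hex()


def build_unsalted_store(users):
    """What the site stores if the 'salt the passwords' update never took."""
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def build_salted_store(users):
    """What the site stores when each account gets its own fresh 128-bit salt."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt.hex(), hash_salted(pw, salt))
    return store


def precompute_table(wordlist):
    """Attacker's hash -> password table: computed once, reused against every unsalted dump."""
    table = {hash_unsalted(w): w for w in wordlist}
    return table, len(wordlist)


def crack_unsalted(store, table):
    """Without salts, cracking a leaked store is a pure dictionary lookup: no new hashing at all."""
    return {user: table[h] for user, h in store.items() if h in table}


def crack_salted(store, wordlist):
    """With per-user salts the precomputed table is useless; every guess is recomputed per account.
    Returns the cracked accounts and how many (slow) hash computations that cost."""
    found, work = {}, 0
    for user, (salt_hex, h) in store.items():
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted(guess, salt), h):
                found[user] = guess
                break
    return found, work


def shared_password_groups(unsalted_store):
    """Unsalted hashes also reveal which users share a password, before anything is cracked."""
    by_hash = {}
    for user, h in unsalted_store.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    table, table_work = precompute_table(WORDLIST)
    print("unsalted: cracked", crack_unsalted(unsalted, table),
          "with", table_work, "hashes computed once, ever")
    print("unsalted: users sharing a password:", shared_password_groups(unsalted))
    found, work = crack_salted(salted, WORDLIST)
    print("salted: cracked", found, "but it cost", work, "PBKDF2 computations for just 3 users")
```

With a five-word list and three users the salted store still falls, so the salt is not a substitute for strong passwords; what it buys is that the attacker’s cost scales with users times guesses, each guess slowed by the KDF, instead of a one-time table shared across every site that used the same bare hash. Note also that in the salted store alice and carol’s hashes differ even though their passwords are identical.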

Second, by now the public expects to hear “Reset your password” after a breach if anything vaguely resembling passwords was involved. So the concern is that “Oh, no, don’t worry, your passwords are safe, honest, trust us!” would sound unconvincing, especially when you consider that the biggest post-breach problem the victim company usually worries about is contained in that word “trust”. The stolen data is stolen, gone; there is nothing they can do about it except figure out how it happened and keep it from happening again. What they need to do is convince their customers that it’s OK to continue doing business with them.

Third, we all know that changing passwords periodically is a good idea anyway and that we don’t do it often enough (except for those sites that force us to, and we grumble when they do so). So when LinkedIn gets breached and everyone is told “Change your passwords”, the folks who don’t use LinkedIn ignore the advice; but then when eBay gets hit, a bunch more will respond. So the net is that more people get around to changing their passwords, which is a public good.

The risk, of course, is “breach fatigue”: that people hear this so often that they stop paying any attention to news about breaches, and never change their passwords!

And of course if Voltage SecureData is used, then the cost of a data breach is minimized—persistently protected data is of no value to an attacker, and in fact does not trigger breach notification requirements in most cases.